Hendon Publishing - Article Archive Details

Online investigative techniques for non-tech crimes

Written by Mike Bazzell

Every investigator possesses an arsenal of investigative techniques and resources that are collected throughout a career. Often, these tools are tweaked by the individual and later applied to a wide variety of cases. While computer-related crime utilizes a brand-new category of investigative techniques, these methods are not solely for crimes involving computers or technology. There is a wealth of free resources available to anyone, including law enforcement, which often gets overlooked. Such resources can yield potential evidence against an offender of various types of crimes. Recently law enforcement has taken serious notice of a new digital presence in evidence collection. This article is an introduction to the possibilities just waiting to be utilized in daily investigations.

Technology has changed the world forever. For better or worse, all are affected by the World Wide Web and the gadgets that work with it. Computers, recordable discs and cellular telephones are high on the list of items to be taken from a crime scene. These items are then given to the experts who prepare reports of the content analyzed on these devices. While this is a great and vital resource, there is still a plethora of digital evidence that any investigator is capable of researching.

Internet search engines such as Google have made locating information quickly easy enough for even the first-time computer user. Typing a suspect’s name on Google.com can reveal surprising information. Results may include any online associates, e-mail addresses, business affiliates or hobby involvement. This is just the first basic step. If the suspect has a common name, try a search with quotes placed around the name of the suspect and add the city he or she lives in. This will help refine the results. Typing a name into images.google.com will search for any photos of a subject and blogsearch.google.com will search for the presence of various weblog sites, which usually possess commentary on various events.

For more in-depth information, sites such as 123people.com and wink.com focus only on obtaining information about an individual. This includes checking all the social networking sites such as Myspace.com and Facebook.com, various online communities, and even the competition’s sites for any profile information on an individual. The site 123people.com retrieves photographs and videos associated with the individual, which link to the original source. This site also provides residence addresses, phone numbers, e-mail addresses, weblog entries, biographies, and often reviews that the individual may have left on sites such as Amazon.com. A quick check of anyone’s name provides surprising results.

Searching these social network sites can provide a large number of leads for investigations involving runaways, missing children or child abductions. A common trend for runaways is to meet someone online and use that relationship to generate a hideout place. Researching a missing child’s profile for historical comments from subjects on the “Friends” list could lead to potential suspects or people of interest. Because most teenagers like to share everything about themselves on the Internet, law enforcement now has another avenue of investigation involving minors.

If it is discovered that the target has an online presence, the next level of investigation begins. Photo sharing sites such as flickr.com and shutterfly.com may provide an unbelievable source of visual information including the family members, residence interiors, vehicles or weekend activities of a target. If a tactical team is planning to pay a visit to a house, it would be helpful to have a view of the inside of the house beforehand.

Surprisingly, criminals do stupid things. Some have been known to post descriptions, photographs and even videos on the Internet of their crimes to show off to their friends. Why shouldn’t law enforcement take a look? Sites such as video.google.com scour all of the video posting sites like youtube.com to provide a one-stop video site. A common search for law enforcement may be to type in their home town and see what appears. Alternatively, input a suspect’s name or details of a crime to expand the search. Previous searches have resulted in photographs of a proud graffiti artist destroying government property, and video of an out-of-control fight that later made national news. This evidence makes a great companion to any interrogation. If a video is located, a site like keepvid.com allows for easy download of the actual video for evidence submission.

If during these searches a screen name is discovered, the next stop should be usernamecheck.com. Input the user name or screen name, and this site will check dozens of user sites for the same name. This will provide a direct link to that user’s profile page which could provide more details on the individual and possibly more evidence. It is common for a person to choose a unique screen name and carry it over to many sites.

Burglary and thefts are reported on a daily basis at most police departments. In the past, an investigator would scour the pawn shop slips hoping to discover a stolen item. Today, the criminals are using the Internet to unload their stolen goods. Sites such as ebay.com and craigslist.com offer a playground for criminals to find the perfect buyer.

The site craigslist.com is split into geographical sections. Going to a regional area’s page will provide a classified ad-type search page where a specific item can be searched for. An advanced search option on ebay.com allows one to only look within a designated mileage radius of a zip code. Once a stolen item is located, one could arrange to pick it up. Chances are the criminals will bring the item themselves. This can lead to the rare situation where a criminal sends an e-mail stating he or she will personally bring the stolen items to a police officer eagerly waiting with cuffs in hand. Alternatively, subpoenas will also provide information about the person that posted the item. Chances are that most officers prefer the first option.

Online maps are nothing new. Most officers have used them to get directions or view an area’s layout. These online maps, such as maps.google.com and maps.live.com, offer detailed views never available before. Google Maps offers a “Street View” that will give anyone a 360-degree digital image of an address from the street. This will often provide a visual image of vehicles in the driveway, the residence exterior, and a real view of any obstructions to the front door. Again, tactical guys love this. Another view can be accessed from maps.live.com. This is referred to as Bird’s Eye View and it provides four separate angles of any house taken from satellites in space. Utilizing the zoom button will present surprisingly detailed images of any address.

Recent trends with online postings usually include an abundance of comments from viewers on a site. Practically every online article, blog, product review and news source utilizes a feature that allows readers to post opinions for all to see. A new site called backtype.com searches this information. Originally designed to follow comments to something posted by the user, it can equally be used by law enforcement to search for comments left by a suspect. Input a name, screen name or anything else associated with the target to locate information relevant to the target.

Many of these techniques could also be used to locate a fugitive. A good investigator always thinks outside of the box, and what better box than the Internet? Dating Web sites such as match.com, personals.yahoo.com and craigslist.com usually include a photograph of the person posting the profile. If one were looking for a male fugitive in St. Louis, the investigator may want to search these sites. The investigator would type in that he was a female looking for a male in the St. Louis area, any age, with a photo. This will immediately provide several profiles, viewable by photo. When one finds the wanted suspect, simply arrange for a date. These sites do require a profile, but fraudulent information is accepted. Using an attractive undercover photo will better your chances and also provide a better response from the suspect.

If photos are ever located and appear of evidentiary value, saving these photos is vital. If the image was taken with a modern digital camera, it will possess what is called EXIF data. Basically, this is hidden data about the photo including camera make and model, serial number, owner of camera, date and time of photo, and occasionally GPS data if the camera supports it. Using a free downloadable EXIF viewer such as EXIF Pilot Lite (http://www.colorpilot.com/exiflite.html) will display the EXIF data on any photo selected. Alternatively, online resources will do the same thing without installing a program. Visiting www.regex.info/exif.cgi will present an option to load a photo. Selecting any photo either on a computer or on a Web site will immediately display any EXIF data.

Consider the following hypothetical situation: An image of a stolen item is located on the Internet. Later, a camera was seized during an investigation. Verifying the serial number on the back of the camera as the same serial number in the EXIF data of the photo would be sufficient to prove a nexus to the stolen item and the owner of the camera. Also, if a user has registered a name on the digital camera, this name will be present in the EXIF data. This would be very convenient in identifying a suspect posting illegal material on the Internet.

As easily as EXIF data can help an investigation, it can also destroy an investigation. Covert operations that may involve transmission of digital images are at risk of revealing the source. It could be very embarrassing to send a photo of a female during an online prostitution sting and forget that the EXIF data on the image displays a local police department as the owner. Another possibility is that the same camera was used to photograph the police chief for the department’s Web site. A quick check by a tech-savvy criminal would reveal something odd when the serial numbers matched on both photos. A solution to this is to utilize one of the many free programs available on the Internet that will “scrub” the EXIF data from the image.

Occasionally, someone will complain about a Web site that is displaying photos of illegal activity, or of other evidentiary value. When the investigator looks at the site, it may have changed or been deleted completely. Fortunately, sites such as archive.org and Google cache are constantly recording and saving the entire Internet. The Wayback Machine (http://www.archive.org/web/web.php) allows the user to input a Web site, and it will display a list of links of dates that the site was catalogued. Clicking any of these links provides a view of that site on that particular date, including photos. Searching for any site using Google will provide an option titled “Cached” below the description. This link will take the user to a previous version of the site before changes or deletions were made. This can be a great trick when the suspect has removed any evidence in fear of an investigation.

Once these techniques are mastered, documenting the results can be extensive. The free Community Edition of Maltego (www.paterva.com/maltego) is a valuable program for larger investigations. With this, one can enter several names, e-mail addresses, phone numbers, or physical addresses and the program will search the Web for most of the items that have been discussed here. In addition, when the program finds common links to multiple targets, it will display a connection to identify the affiliation. A full tutorial on this software exceeds the scope of this article, but is definitely worth researching by the advanced user.

These are a few samples of technical investigation techniques. New sites are created daily and there are always new methods of taking advantage of the digital age. Approaching any informative site as a tool for the investigation toolbox can result in the arrests of some very surprised criminals.

Mike Bazzell is a Detective with the Alton, IL Police Department. He has been investigating high-tech crime for the past 10 years and currently teaches Law Enforcement Officers and Criminal Justice students about Computer Forensics and Technical Investigations. He can be contacted through www.computercrimeinfo.com.